FreshPorts - VuXML
This page displays vulnerability information about FreeBSD Ports.
The last vuln.xml file processed by FreshPorts is:
List all Vulnerabilities, by package
List all Vulnerabilities, by date
These are the vulnerabilities relating to the commit you have selected:
|31db9a18-e289-11e1-a57d-080027a27dbf||rubygem-rails -- multiple vulnerabilities|
Rails core team reports:
This version contains three important security fixes, please upgrade immediately.
One of security fixes impacts all users and is related to HTML escaping code. The
other two fixes impacts people using select_tag's prompt option and strip_tags
helper from ActionPack.
CVE-2012-3463 Potential XSS Vulnerability in select_tag prompt.
CVE-2012-3464 Potential XSS Vulnerability in the HTML escaping code.
CVE-2012-3465 XSS Vulnerability in strip_tags.
|ca5d3272-59e3-11e2-853b-00262d5ed8ee||rubygem-rails -- multiple vulnerabilities|
Ruby on Rails team reports:
Two high-risk vulnerabilities have been discovered:
(CVE-2013-0155) There is a vulnerability when Active Record is
used in conjunction with JSON parameter parsing.
Due to the way Active Record interprets parameters in combination
with the way that JSON parameters are parsed, it is possible for an
attacker to issue unexpected database queries with "IS NULL" or
empty "WHERE" clauses. This issue does not let an attacker insert
arbitrary values into an SQL query, however they can cause the
query to check for NULL or eliminate a WHERE clause when most users
would not expect it.
(CVE-2013-0156) There are multiple weaknesses in the parameter
parsing code for Ruby on Rails which allows attackers to bypass
authentication systems, inject arbitrary SQL, inject and execute
arbitrary code, or perform a DoS attack on a Rails application.
The parameter parsing code of Ruby on Rails allows applications to
automatically cast values from strings to certain data types.
Unfortunately the type casting code supported certain conversions
which were not suitable for performing on user-provided data
including creating Symbols and parsing YAML. These unsuitable
conversions can be used by an attacker to compromise a Rails